Security Survey 2009: Privileged User Management. It's Time to Take Control. Frequently Asked Questions and Background




What is a privileged user?

A privileged user is an individual who, by virtue of function, has been allocated powers within a technology infrastructure which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and network administrator(s) who are responsible for keeping the system available; it may also comprise application, security or database administrators. Specific privileges include the ability to create a file in a directory, to read or delete a file, to access a device, or to have read or write permission to a socket for communicating over the Web.

Privileged users play a crucial and sensitive role in the organisation. Having privileged access to various IT resources in order to do their job, they can access private and sensitive data within the organisation, create new user profiles, and add to or amend the powers and access rights of existing users. Such high-level access means that any mistakes they make can have serious consequences, and if they abuse their rights for personal reasons, the results of their actions can be very serious indeed.

Do organisations understand the power and control that is in the hands of these privileged users?

Regulatory authority and other compliance inspections have revealed that in many cases organisations of all sizes have little real understanding of the work carried out by systems administrators and other members of the privileged user community. They typically underestimate and overlook the risks they may run if the activities of administrators and other privileged users are not controlled in the manner expected by the organisation's security strategy. Also, there are many examples of hackers targeting privileged accounts and successfully gaining access to critical business applications and data. Privileged accounts are one of the primary targets for hackers, as they give them the keys to the kingdom!

This recent CA research, "The benefits for IT managers of controlling and monitoring their own activities", highlights how organisations underestimate the importance of privileged user management. For example, the ISO 27000 series of standards for IT management, adopted by about 40% of the respondents to the survey, explicitly states that the allocation and use of privileges shall be restricted and controlled. However, despite widespread claims to have adopted the standard, many businesses admit to bad practices with regard to privileged user management that are in direct contravention of it. The CA research reveals a number of bad practices, such as the sharing of privileged user accounts. This points to wider bad practice such as the use of default privileged account user names and even passwords. Elsewhere, the research reveals that almost 41% of respondents admitted that their organisations shared administrator accounts between users for operating system access, a figure which rose to over 50% for network administrators.

What rules, standards and regulations are there to protect organisations from malicious or inadvertent PUM?

Organisations today are faced with addressing an ever-growing list of compliance initiatives. The most well-known are Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the European Union Data Protection Directive 95/46, the Japanese Personal Information Protection Act (JPIPA), and additional regulations and guidelines. Additionally, initiatives such as the Payment Card Industry Data Security Standard (PCI DSS) have considerable impact on any company that handles credit cards. PCI DSS establishes standard requirements for protecting cardholder information. It applies to all entities that store, process or transmit cardholder data, such as retail merchants, payment processors and banks. Among the requirements for PCI DSS compliance is rigorous access control. To comply, organisations must reduce administrative privileges through secure privilege delegation on Windows and Active Directory, alert on failed administrator/user access and AD/Group Policy object changes, and publish their data control policies.

The ISO 27001 security standard also advocates that the allocation and use of privileges should be restricted and controlled. For example, the access privileges associated with each system product (e.g. operating system, database management system and each application) and the users to which they need to be allocated should be identified. Privileges should be allocated to users on a need-to-use basis and on an event-by-event basis, in line with the access control policy, and an authorisation process and a record of all privileges allocated should be maintained. It also demands that the development and use of system routines should be promoted to avoid the need to grant privileges to users, and that privileges should be assigned to a different user ID from those used for normal business use.

In Italy, the Garante (personal data protection watchdog) has issued a series of measures that organisations need to adopt in the management of system administrators and other privileged users. New rules are coming into force which call on all private companies and public bodies to ensure that their work is monitored. For example, systems must be introduced to log access by systems administrators to IT systems and electronic archives; the activity of the systems administrator must be monitored at least annually to ensure it fully complies with all organisational, technical and security provisions; and corporate security plans must include the name of each systems administrator and their assigned duties.

Corporate executives are pushing their organisations to comply with these regulations or face personal liability and the threat of criminal and/or civil penalties. They are being pressured to improve access security for Windows, UNIX and Linux systems by legislation, internal and external auditing requirements, and general security concerns. Yet it is a feature of these operating systems that administrators require access at a level that would allow them to view and change critical data without being audited.

In the context of information security, almost all of this legislation comes down to the principle of least privilege. This requires that, in a particular abstraction layer of a computing environment, every module (whether it is a process, a user or a program) must be able to access only such information and resources as are necessary to its legitimate purpose. When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.

How does the typical organisation currently tackle the issue of PUM?

According to the CA security research, around 24% of organisations have some form of manual control in place for overseeing the actions of, and controlling the access of, privileged users. Despite the availability of more sophisticated systems and the clear case for them, only around 22% have actually deployed a full PUM system. However, the high number of organisations (47%) that say they have plans (albeit often delayed ones) suggests a high awareness of the benefits.

Organisations that rely on manual processes have to create and manage redundant user files in multiple systems to allow access. They hand out the root passwords to each person that needs privileged access and then cannot change the password for fear of locking people out. Sometimes when problems occur, the systems administrator is under suspicion and has no way to prove that they were not the one who caused the problem. Some organisations have a basic check-out, check-in system that allows them to track who had the unlimited access and when, but it does not control or reliably track what the user does with the full super-user account.

The disadvantages of these approaches are clear. A reliance on manual processes for monitoring and controlling privileged users is time-consuming, excessively expensive, unreliable and prone to error. Ultimately it results in a very real threat to the organisational security that the manual PUM processes were originally introduced to overcome.

What options are there to help companies prevent incidents and ensure PUM compliance?

Clearly, it is in the interest of individual IT managers, the IT department as a whole and the overall business to have measures in place to control and monitor privileged users. An ideal starting point is to ensure that all default privileged user accounts are identified and closed down. However, this can be a huge task, given the scale of operating systems, networking devices, security systems, databases, business applications and other IT infrastructure components. It would be slow and impractical to rely on manual processes to manage these and to make sure they follow corporate policy and audit requirements. Here, PUM automation software can be deployed which understands the wide range of systems that businesses use and enforces the necessary policies to ensure compliance with corporate standards.

With the default accounts under control, it is then necessary to grant privileged user rights in specific areas to those who require them. Some businesses attempt to perform this necessary security task manually: issuing one-off passwords and mailing them around in spreadsheets or storing them in sealed envelopes in a safe, allowing access for a given period of time, before changing the password back again. This has the obvious flaw that some higher-level privileged user would still have all the access rights that good-practice PUM tries to avoid, as well as being non-scalable and cumbersome.

Organisations can also consider deploying a system that can search for and lock out default accounts. Such a system could also be used to assign privileged access to certain systems to individuals whose actions are monitored whilst they are working. It could also be used to manage the assignment of one-time passwords on particularly sensitive systems. However, solving the issue of shared administrator accounts is only part of the problem.
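An added example, not code from CA or from the original page, of the "identify and close down default privileged accounts" step above: a check over constructed passwd/shadow data that flags extra UID 0 accounts (shared super-user access), accounts with no password, and default account names that are still enabled. The default-name list is an assumption; an organisation would keep its own per platform.

```python
"""Flag default and shared super-user accounts in passwd/shadow data.

Added illustration for the account clean-up step above; not CA's code.
Input is constructed /etc/passwd and /etc/shadow text embedded below.
"""
from dataclasses import dataclass

# Assumption: names that commonly ship enabled on appliances and images.
# A real deployment would maintain its own list per platform.
DEFAULT_ACCOUNT_NAMES = {"admin", "guest", "test", "support"}

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
admin:x:1001:1001:Appliance admin:/home/admin:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
svc:x:1004:1004:Service:/srv:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehash:19000:0:99999:7:::
toor:$6$saltsalt$fakehash:19000:0:99999:7:::
admin:$6$saltsalt$fakehash:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
alice:$6$saltsalt$fakehash:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""


@dataclass
class Finding:
    account: str
    reason: str


def parse_passwd(text):
    """Return {name: uid} from passwd-format lines; skip malformed ones."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def parse_shadow(text):
    """Return {name: password field} from shadow-format lines."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) >= 2}


def is_locked(pw_field):
    """Shadow convention: a '!' or '*' prefix means no password login."""
    return pw_field.startswith(("!", "*"))


def audit_accounts(passwd_text, shadow_text):
    """Return findings in passwd order, one per problem detected."""
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, uid in parse_passwd(passwd_text).items():
        pw = hashes.get(name, "!")  # no shadow entry: treat as locked
        if uid == 0 and name != "root":
            findings.append(Finding(name, "UID 0 account other than root (shared super-user)"))
        if pw == "":
            findings.append(Finding(name, "empty password field: no password required"))
        elif name in DEFAULT_ACCOUNT_NAMES and not is_locked(pw):
            findings.append(Finding(name, "default account still enabled"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.account}: {f.reason}")
```

On the sample data the check reports toor, admin and svc; root, the locked guest account and alice pass.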

What does an organisation need to consider in order to address their PUM challenges?

The first step must be to look at privileged user management as a major business and risk management issue, not as a parochial IT subject. The issue of PUM should be owned by the business and by high-level executives who are educated in the issue. By understanding at a strategic level the risks inherent in privileged users having access to sensitive data, organisations can more quickly overcome the funding obstacles inherent in such a cause.

Second, the optimal way to control, monitor and measure privileged users is to deploy tools that fully automate the management of privileged user accounts and the assignment of privileged user access, and that enable the full monitoring of their activities. Fine-grained access control should be an integral feature of the PUM solution. Besides offering greater control, integrity and transparency within an organisation, this control also addresses the requirement to cater for the principle of least privilege, which helps satisfy many of the compliance and best-practice requirements. Regulations require fine-grained controls and cross-platform consistency to ensure the separation of duties, for example. Additionally, in the event of a compromise, the ability to research the incident forensically is also required. This way an auditor will not only know who checked out a password and when, but will also be able to identify what the privileged user did with the password.

Third, it is also important to consider a PUM solution that helps the organisation move along a maturity model and that adapts to the changing needs of the business. The solution needs the flexibility to be deployed quickly to support basic privileged user passwords. Simultaneously, to follow the principle of least privilege and more effectively meet compliance requirements, the same tool needs to provide fine-grained access control and auditing across disparate resources.

How can CA Access Control answer the PUM problem?

CA Access Control provides organisations with powerful control over privileged users. CA Access Control is the only solution that is capable of controlling privileged users and providing temporary privileged access across servers, applications and devices, all from a single, central management console. Key features include:

Policy-based access control. Access is prohibited or allowed based on security policies or rules.

Fine-grained access control. Granular control of what a user can or cannot do, including file-level access controls.

Policy Management. Centralised, highly scalable policy management and access controls can be applied uniformly across UNIX (AIX, HP and Sun), z-Linux, Linux (Red Hat) and Microsoft systems, or individually tailored for each platform.

Secure Audit. Secures audit files to ensure they cannot be deleted or modified by administrators or super users; reports that track who did what.

Robust Reporting (out-of-the-box and custom). CA Access Control provides 60+ types of reports for compliance submission, including segregation of duty reports, privileged user access, password policy, etc.
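An added example, not CA's product code and not part of the original page, of the accountability the forensic requirement and the Secure Audit feature above describe: a hash-chained audit trail that ties a password check-out to the commands run under it, with a verifier that detects edited, deleted or reordered entries. The key, user, account and commands are constructed; the assumption is that the key is held by the audit collector, not by the administrators being audited.

```python
"""Tamper-evident audit trail for privileged-account check-outs.

Added illustration, not CA's code. Each entry records who checked out
which account and what they ran; its tag is an HMAC over the previous
entry's tag plus the record, so editing or removing a line breaks the
chain. Assumption: the key lives with the audit collector, not on the
hosts that administrators control.
"""
import hashlib
import hmac
import json

# Constructed key for the example only.
AUDIT_KEY = b"audit-collector-secret-constructed"


def _tag(key, prev_tag, record):
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(log, key, user, account, action):
    """Append one entry whose tag chains to the previous entry."""
    prev_tag = log[-1]["tag"] if log else "genesis"
    record = {"seq": len(log), "user": user, "account": account, "action": action}
    entry = dict(record, tag=_tag(key, prev_tag, record))
    log.append(entry)
    return entry


def verify_log(log, key, expected_last_tag=None):
    """Return (ok, first_bad_seq).

    Recomputes every tag in order, so an edit, a deletion in the middle,
    or a reordering is caught. Truncating the tail is only caught when the
    caller supplies the last tag it previously recorded elsewhere.
    """
    prev_tag = "genesis"
    for expected_seq, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != expected_seq:
            return False, expected_seq
        if not hmac.compare_digest(entry["tag"], _tag(key, prev_tag, record)):
            return False, expected_seq
        prev_tag = entry["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return False, len(log)  # chain intact but entries missing from the end
    return True, None


def build_sample_log(key=AUDIT_KEY):
    """Constructed session: check-out, two commands, check-in."""
    log = []
    append_event(log, key, "alice", "root@db01", "checkout")
    append_event(log, key, "alice", "root@db01", "cmd: service postgres restart")
    append_event(log, key, "alice", "root@db01", "cmd: tail /var/log/postgres.log")
    append_event(log, key, "alice", "root@db01", "checkin")
    return log


def without_entry(log, seq):
    """Copy of the log with one entry removed, to test the verifier."""
    return [dict(e) for e in log if e["seq"] != seq]


def with_edited_action(log, seq, new_action):
    """Copy of the log with one action rewritten, to test the verifier."""
    copy = [dict(e) for e in log]
    copy[seq]["action"] = new_action
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log, AUDIT_KEY))
    print("entry removed:", verify_log(without_entry(log, 2), AUDIT_KEY))
    print("tail cut:", verify_log(log[:-1], AUDIT_KEY, expected_last_tag=log[-1]["tag"]))
```

The check-in tag (or a periodic tag) has to be forwarded to a store the administrators cannot write to, otherwise a trailing check-in can be cut off without the chain noticing.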

Privileged User Password Management (PUPM). Provides access to privileged accounts on a temporary, one-time-use basis, or as necessary, while providing user accountability for their actions through secure auditing. Support for PUPM is available for servers, applications and devices in a physical or virtual environment.

UNIX Authentication Broker (UNAB). Credential checking of UNIX users from Microsoft Active Directory, which allows the consolidation of authentication and account information.

Unified Console. A single Web user interface consolidates the management of host access control and Privileged User Management.

Why is this a unique PUM solution?

CA is the only vendor that is including market-leading host access control within a feature-rich privileged user management offering, all managed from a single console that provides a single user interface. The solution focuses on three key features:

Privileged User Password Management (PUPM): While protecting against external threats remains an area of focus for IT, the need to provide application and device protection against internal threats is becoming more important. Managing and providing access to privileged accounts, even on a temporary, one-time-use basis, is necessary, all while providing user accountability for their actions in a shared account.

UNIX Authentication Broker (UNAB): The use of Microsoft Windows in IT server configurations continues to grow and requires a co-existence with UNIX servers that allows the consolidation of authentication and account information.

Unified Console: A common Web user interface consolidates information and facilitates policy administration from a centralised management interface.

What are the benefits of CA Access Control to the C-level executive (including CEO or Chief Risk & Compliance Officer)?

Provides a new level of comfort to IT security management, allowing an IT team to easily manage and track privileged user activities on the systems that they are responsible for.

Introduces a complete solution to all aspects of privileged user management, protecting critical servers, applications and devices across platforms and operating systems, and helps ensure regulatory compliance.

Allows IT security management to mandate detailed policy-based controls for privileged user access to system resources, monitor their activity, and control under what circumstances access is allowed.

Enables systems administrators to create and consistently enforce the desired level of control, resulting in greater security for the organisation's critical IT resources and data while providing the necessary accountability.

What are the benefits of CA Access Control to the VP or Director of Security/CISO?

Controls and monitors access to a diverse set of server-based resources, to satisfy internal policies and external compliance regulations.

Enables cross-platform creation, deployment and management of complex, fine-grained access controls. Unlike native operating systems, which only provide basic controls on a single platform, the solution can deploy granular policies on multiple platforms to provide the security required and the tracking necessary to meet internal and external compliance requirements.

Offers an important layer of protection against critical data loss events that can be devastating to a company's reputation and finances.

What are the benefits of CA Access Control to the users?

Provides a new level of control to the systems administrator to easily manage and track privileged user activities on the systems that they are responsible for.

Complete solution to all aspects of PUM, protecting critical servers, applications and devices across platforms and operating systems, and helps ensure regulatory compliance.

Allows systems administrators to create and enforce policy-based controls for privileged user access to system resources, monitor their activity, and control under what circumstances access is allowed.

Provides greater accountability and gives the systems administrator increased control of their critical resources.